
[ossec-list] Problems faced with OSSEC.




Hi,

 

This is the first time I am raising a query in this group.

I have been using OSSEC for the past three months and I have been facing problems since my first installation, some of which are listed below.

 

1.) I have to change the permission of the /var/ossec/log/*current log file* to READ every day as the WEBUI shows the permission as FORBIDDEN.

I have tried using CHMOD -R 777 var/ossec/log but it was of no use.

Can I know what should be the permissions of the files that are installed in the /var/ossec directory?

 

2.) I am currently getting the following error: “2007/02/20 09:34:13 ossec-agentd(1214): Problem receiving message from 172.16.7.254”, and due to that I am not receiving any alerts for my client on my mail ID, although the same can be seen in the Current Log File and WEBUI. Also, I am able to get the mail alerts for the Server. Can I know what it means? I have tried importing the authentication keys and adding the client again and again, but still the problem persists.

 

3.) I have attached the client and server configuration for your reference. I have followed the manual for configuring the active response, and the “ar.conf” file does show an entry for “host-deny” on the server as well as the client. But still the actual blocking is not happening. Can somebody tell me what could be the possible reason for this? I have simulated the same using Nessus Scan and block the Source IP if Rule 30114 triggers.

 

4.) I am getting the errors “2007/02/19 11:16:50 ossec-remoted(1403): Incorrectly formated message from '172.16.2.35'” and

“2007/02/15 14:08:44 ossec-remoted(1407): Duplicated counter for 'À¬#ÿÿÿÿ'.

2007/02/15 14:08:44 ossec-remoted: Duplicate error:  global: 2, local: 9997, saved global: 3, saved local:3”

quite frequently, which don’t appear once I restart both the client and server. Is this a bug and do we have to ignore this message?

 

It is high time for me since I have to deploy the same in my production and I have no explanations for these queries. Any help would be highly appreciated.

 

Thanks,

Pankaj P.

 


Attachment: Ossec.rar